Search:
Recent Posts
Popular Topics
Contributors
Archives
Legal developments in data, privacy, cybersecurity, and other emerging technology issues
Today, the European Commission (“EC”) adopted new standard contractual clauses (“SCCs”) reflecting new requirements under the European Union’s General Data Protection Regulation (“GDPR”). The SCCs are intended to provide standardized templates for companies to utilize to comply with the GDPR’s data protection requirements.
The newly adopted SCCs include the highly anticipated clauses for the transfer of personal data from the EU to third countries. The SCCs regarding data transfers – which modularly cover data transfers between controllers and controllers, controllers and processors, processors and processors, and processors to controllers – take into account the Schrems II judgment of the Court of Justice of the European Union, providing some examples of possible “supplementary measures” that companies can take to comply with the judgment, such as encryption. The EC also adopted a new set of SCCs concerning the relationship between controllers and processors to facilitate compliance with Articles 28 and 29 of the GDPR.
The “old” SCCs can continue to be used for data transfers for a period of three months beginning 20 days after the Commission’s implementing decision is formally published in the Official Journal of the EU. SCCs already concluded can continue to be used for an additional 15 months. So agreements with the “old” SCCs will continue to be valid for 18 months.
Partner|Steve Wernikoff is a litigation and compliance partner who co-leads the Data, Privacy, and Cybersecurity practice and the Autonomous Vehicle group. As a previous senior enforcement attorney at the Federal Trade Commission's ...